Advanced Threat Hunting for Persistence Using KQL (Kusto Query Language)

Advanced Hunting is a feature of Microsoft Defender for Endpoint (MDE) that lets you search the raw event telemetry collected from your devices for threat indicators and investigate them. Hunting queries are written in KQL (Kusto Query Language). MDE itself is a robust Endpoint Detection and Response (EDR) and anti-malware product; the Advanced Hunting tables (DeviceProcessEvents, DeviceRegistryEvents, DeviceEvents and others) expose the telemetry it collects.

Threat Hunting for Persistence on Registry Keys

Persistence is the set of techniques attackers use to keep their access to a system across reboots, logoffs and credential changes. One common method is to modify particular registry keys and values so that a script or command is executed every time the computer starts or a user logs on. There are numerous registry keys that can be used for persistence; the following are the ones most commonly abused for user-level (HKCU) and system-level (HKLM) persistence:

  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

MDE Query to find Registry Persistence

In this section we search DeviceRegistryEvents for RegistryValueSet actions on several of these locations. The RegistryKey column holds the full hive path (HKEY_LOCAL_MACHINE\... or HKEY_CURRENT_USER\...), and the InitiatingProcess columns tell you which program and which account wrote the value, which is usually the most useful triage information.

Query to find values written to the Run and RunOnce keys, which make a program run every time a user logs on (Run) or once at the next logon (RunOnce).

Query to find changes to the registry value that sets the location of the Startup folder (the Startup entry under Explorer\User Shell Folders), which an attacker can redirect to a directory they control.

Query to find changes to registry values that control what runs automatically during boot and logon, such as the Winlogon Userinit and Shell values and the Session Manager BootExecute value.
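The three queries described above, combined into one added example that is not the page's own query: it looks for RegistryValueSet actions on the Run/RunOnce keys, on the Startup entry of User Shell Folders, and on the boot- and logon-time Winlogon and BootExecute values (Common Startup, Winlogon and BootExecute are my additions to the page's list), then scores each write by who made it and what the new data points at. The datatable is constructed sample data; the column names are the real DeviceRegistryEvents columns, and the score thresholds are assumptions to tune per environment.

```kql
// Added example (not the page's original query). The datatable below is constructed
// sample data standing in for DeviceRegistryEvents so the logic can be run in any Kusto
// sandbox; in the Defender portal delete the let block and query DeviceRegistryEvents.
let SampleDeviceRegistryEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string, RegistryKey:string,
    RegistryValueName:string, RegistryValueData:string,
    InitiatingProcessFileName:string, InitiatingProcessAccountName:string)
[
    // benign: OneDrive refreshing its own Run entry during an update
    datetime(2023-04-01 08:00:00), "ws01", "RegistryValueSet",
        @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
        @'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "OneDriveSetup.exe", "alice",
    // suspicious: reg.exe plants a Run value that launches hidden PowerShell from Temp
    datetime(2023-04-01 08:05:00), "ws01", "RegistryValueSet",
        @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdateCheck",
        @"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\u.ps1",
        "reg.exe", "alice",
    // suspicious: the user's Startup folder is redirected to an attacker-controlled directory
    datetime(2023-04-01 08:06:00), "ws01", "RegistryValueSet",
        @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
        "Startup", @"C:\ProgramData\sync", "reg.exe", "alice",
    // suspicious: Winlogon Userinit gains a second binary that runs at every interactive logon
    datetime(2023-04-01 08:07:00), "ws01", "RegistryValueSet",
        @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
        @"C:\Windows\system32\userinit.exe,C:\ProgramData\svc.exe", "cmd.exe", "SYSTEM",
    // filtered out: a key creation, not a value write
    datetime(2023-04-01 08:08:00), "ws01", "RegistryKeyCreated",
        @"HKEY_CURRENT_USER\SOFTWARE\Contoso", "", "", "setup.exe", "alice"
];
SampleDeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// Classify the write by which autostart location it touches (endswith is case-insensitive)
| extend Category = case(
    RegistryKey endswith @"\CurrentVersion\Run"
        or RegistryKey endswith @"\CurrentVersion\RunOnce"
        or RegistryKey endswith @"\Policies\Explorer\Run", "Run/RunOnce",
    RegistryKey endswith @"\Explorer\User Shell Folders"
        and RegistryValueName in~ ("Startup", "Common Startup"), "StartupFolderRedirect",
    RegistryKey endswith @"\Windows NT\CurrentVersion\Winlogon"
        and RegistryValueName in~ ("Userinit", "Shell"), "WinlogonAutostart",
    RegistryKey endswith @"\Control\Session Manager"
        and RegistryValueName =~ "BootExecute", "BootExecute",
    "")
| where isnotempty(Category)
// Triage hints: who wrote the value, and does the payload look like a script host or
// live in a user-writable directory. Installers writing their own binaries score low.
| extend ScriptHostWriter  = InitiatingProcessFileName in~ ("reg.exe", "cmd.exe", "powershell.exe",
                                 "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"),
         ScriptHostPayload = RegistryValueData has_any ("powershell", "pwsh", "cmd", "wscript",
                                 "cscript", "mshta", "rundll32", "regsvr32"),
         UserWritablePath  = RegistryValueData has_any ("Temp", "ProgramData", "Public", "Downloads")
| extend Score = iff(ScriptHostWriter, 1, 0) + iff(ScriptHostPayload, 1, 0) + iff(UserWritablePath, 1, 0)
| project Timestamp, DeviceName, Category, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessAccountName, Score
| order by Score desc, Timestamp asc
```

On the sample data the reg.exe Run write scores 3, the Startup redirect and the Userinit change score 2, and the OneDrive row scores 0 but is still listed, so a hunter sees the full picture and can raise the cut-off (for example `| where Score >= 2`) once the benign writers in the fleet are known. The categories are matched with `endswith` rather than exact keys so that both HKCU and HKLM variants, and the Wow6432Node copies, are caught by the same predicate.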

Threat Hunting for Persistence on Scheduled Tasks

The Task Scheduler, driven from the command line with schtasks.exe, lets a user create, delete, query, change, run, and end tasks on a computer. Attackers abuse it because a task can be set to run at boot, at logon or on a fixed interval, so a payload is re-executed without any further interaction, and because an attacker who already holds administrative rights can register the task to run as SYSTEM. This is MITRE ATT&CK technique T1053.005 (Scheduled Task).

The syntax for creating a scheduled task is shown in the image taken from https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks.

Explanation of some parameters

  1. /Create : Creates a new scheduled task.
  2. /RU : Specifies the user account ("Run As") under which the task runs. By default the task runs as the user who created it; to run it as the system account, use "" (an empty string), "NT AUTHORITY\SYSTEM" or "SYSTEM".
  3. /SC : Specifies the schedule type: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE or ONEVENT.
  4. /MO : Specifies the modifier that refines the schedule type, that is, how often the task repeats. For HOURLY the valid range is 1 to 23 hours; for MINUTE it is 1 to 1439 minutes.
  5. /TN : Specifies the task name that identifies the scheduled task.
  6. /TR : Specifies the path and file name of the program or script the task runs at the scheduled time, optionally followed by its arguments.
  7. /F : Forcibly creates the task and suppresses the warning if a task with the same name already exists.

MDE Query to find Scheduled Tasks Persistence

To find persistence in scheduled tasks, filter DeviceProcessEvents for executions of schtasks.exe whose command line contains /create, and look at which account ran it. Task creation by an account that is not a known installer or deployment account, a /ru of SYSTEM, or a /tr that points at a script interpreter or a user-writable path all deserve a closer look.
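The hunt described above as an added example, not the page's own query. It filters schtasks.exe /create executions, drops accounts on an allowlist, pulls the /tn, /tr, /ru and /sc values out of the command line with the syntax from the previous section, and scores each task. The datatable is constructed sample data with real DeviceProcessEvents column names; AuthorizedTaskCreators is a placeholder allowlist and the score threshold is an assumption to tune per environment.

```kql
// Added example (not the page's original query). Constructed sample rows stand in for
// DeviceProcessEvents; in the Defender portal delete the let blocks and query the real table.
// AuthorizedTaskCreators is a placeholder: replace it with the deployment and installer
// accounts that legitimately register tasks in your environment.
let AuthorizedTaskCreators = dynamic(["svc_sccm"]);
let SampleDeviceProcessEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string,
    ProcessCommandLine:string, InitiatingProcessFileName:string)
[
    // benign: software deployment account registering an update task
    datetime(2023-04-01 09:00:00), "ws01", "svc_sccm", "schtasks.exe",
        @'schtasks.exe /create /tn "\Contoso\AgentUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Contoso\agent.exe" /f',
        "ccmexec.exe",
    // suspicious: a user's cmd.exe registers a SYSTEM task running hidden PowerShell from a public folder
    datetime(2023-04-01 09:05:00), "ws01", "alice", "schtasks.exe",
        @'schtasks.exe /create /ru SYSTEM /sc ONLOGON /tn "WindowsUpdateCheck" /tr "powershell -w hidden -ep bypass -f C:\Users\Public\u.ps1" /f',
        "cmd.exe",
    // suspicious: PowerShell registers a task that runs a binary from ProgramData every 5 minutes
    datetime(2023-04-01 09:06:00), "ws02", "bob", "schtasks.exe",
        @'schtasks.exe /create /sc MINUTE /mo 5 /tn Sync /tr C:\ProgramData\svc.exe',
        "powershell.exe",
    // filtered out: a query, not a creation
    datetime(2023-04-01 09:07:00), "ws02", "bob", "schtasks.exe",
        @'schtasks.exe /query /tn Sync', "cmd.exe"
];
SampleDeviceProcessEvents
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "create"
| where AccountName !in~ (AuthorizedTaskCreators)
// Pull the switches out of the command line; values may be bare or double-quoted
| extend TaskName = extract(@'(?i)/tn\s+"?([^"]+?)"?(\s+/|$)', 1, ProcessCommandLine),
         TaskRun  = extract(@'(?i)/tr\s+"?([^"]+?)"?(\s+/|$)', 1, ProcessCommandLine),
         RunAs    = extract(@'(?i)/ru\s+"?([^"]+?)"?(\s+/|$)', 1, ProcessCommandLine),
         Schedule = extract(@'(?i)/sc\s+(\w+)', 1, ProcessCommandLine)
// Indicators that separate an installer's task from an attacker's
| extend RunsAsSystem      = RunAs in~ ("SYSTEM", @"NT AUTHORITY\SYSTEM"),
         ScriptHostPayload = TaskRun has_any ("powershell", "pwsh", "cmd", "wscript", "cscript",
                                 "mshta", "rundll32", "regsvr32", "certutil"),
         UserWritablePath  = TaskRun has_any ("Users", "Public", "ProgramData", "Temp", "AppData"),
         ScriptHostParent  = InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe",
                                 "wscript.exe", "cscript.exe", "mshta.exe")
| extend Score = iff(RunsAsSystem, 1, 0) + iff(ScriptHostPayload, 1, 0)
              + iff(UserWritablePath, 1, 0) + iff(ScriptHostParent, 1, 0)
| where Score >= 2      // tune for your fleet; installer-created tasks normally score 0 or 1
| project Timestamp, DeviceName, AccountName, TaskName, Schedule, RunAs, TaskRun,
          InitiatingProcessFileName, Score
| order by Score desc, Timestamp asc
```

On the sample data alice's task scores 4 and bob's scores 2; the deployment account's task is removed by the allowlist and the /query row never passes the first filter. Note the limit of a process-based hunt: tasks registered through the Task Scheduler API (PowerShell's Register-ScheduledTask, or COM calls from an implant) never spawn schtasks.exe, so pair this query with the ScheduledTaskCreated action type in the DeviceEvents table to cover that path.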

Threat hunting for a Persistence Account that has been Created

MITRE ATT&CK technique T1136 (Create Account) covers attackers creating a new account to maintain access to a system. To spot this kind of persistence, watch process creations and their command-line parameters for commands such as net user <name> <password> /add on Windows or useradd on Linux, and correlate them with the account-creation events the endpoint itself reports.

MDE Query to find Create Account Persistence

We look for DeviceEvents with the UserAccountCreated action type, and for executions of net.exe whose command line contains "user" together with the account name "Administrator".
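The correlation described above as an added example, not the page's own query: it finds net.exe and net1.exe command lines that add a local account, confirms them against the UserAccountCreated rows in DeviceEvents, and flags whether the same account was then dropped into a privileged local group. Both datatables are constructed sample data; the column names are the real DeviceProcessEvents and DeviceEvents columns, and the assumption that AccountName on a UserAccountCreated row is the newly created account is stated in the code.

```kql
// Added example (not the page's original query). Both datatables are constructed sample
// rows standing in for DeviceProcessEvents and DeviceEvents; in the Defender portal delete
// the let blocks and query the real tables.
let SampleDeviceProcessEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string,
    ProcessCommandLine:string, InitiatingProcessFileName:string)
[
    // net.exe hands the real work to net1.exe, so both binaries are in scope
    datetime(2023-04-01 10:00:00), "ws01", "alice", "net.exe",
        @'net user backup_svc P@ssw0rd! /add', "cmd.exe",
    datetime(2023-04-01 10:00:01), "ws01", "alice", "net1.exe",
        @'C:\Windows\system32\net1 user backup_svc P@ssw0rd! /add', "net.exe",
    datetime(2023-04-01 10:00:30), "ws01", "alice", "net.exe",
        @'net localgroup administrators backup_svc /add', "cmd.exe",
    // filtered out: listing an account, no /add
    datetime(2023-04-01 10:05:00), "ws02", "bob", "net.exe",
        @'net user bob', "cmd.exe"
];
let SampleDeviceEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string, AccountName:string,
    InitiatingProcessFileName:string, InitiatingProcessAccountName:string)
[
    // assumption used below: on a UserAccountCreated row, AccountName is the new account
    datetime(2023-04-01 10:00:01), "ws01", "UserAccountCreated", "backup_svc", "net1.exe", "alice"
];
// Command lines that add a local account; the regex captures the name that follows "user"
let NetUserAdds = SampleDeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "user" and ProcessCommandLine has "add"   // "/add" tokenizes to "add"
| extend NewAccount = extract(@'(?i)\buser\s+"?([^\s"/]+)', 1, ProcessCommandLine)
| where isnotempty(NewAccount);
// Command lines that put an account into a privileged local group
let GroupAdds = SampleDeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup" and ProcessCommandLine has "add"
| where ProcessCommandLine has "administrators" or ProcessCommandLine contains "Remote Desktop Users"
| extend NewAccount = extract(@'(?i)localgroup\s+"?[^"]+?"?\s+"?([^\s"/]+)', 1, ProcessCommandLine)
| project DeviceName, NewAccount, GroupCommand = ProcessCommandLine;
// The endpoint's own account-creation event confirms that the command actually succeeded
let AccountCreated = SampleDeviceEvents
| where ActionType == "UserAccountCreated"
| project DeviceName, NewAccount = AccountName, CreatedVia = InitiatingProcessFileName,
          CreatedBy = InitiatingProcessAccountName;
NetUserAdds
| where FileName =~ "net.exe"          // one row per command rather than the net.exe + net1.exe pair
| join kind=leftouter (AccountCreated) on DeviceName, NewAccount
| join kind=leftouter (GroupAdds) on DeviceName, NewAccount
| extend CreationConfirmed = isnotempty(CreatedVia), AddedToPrivilegedGroup = isnotempty(GroupCommand)
| project Timestamp, DeviceName, RunBy = AccountName, NewAccount, CreationConfirmed,
          AddedToPrivilegedGroup, ProcessCommandLine, GroupCommand
```

On the sample data the result is a single row: alice created backup_svc, the creation is confirmed by the UserAccountCreated event, and the account was added to Administrators thirty seconds later. Keeping the join as leftouter is deliberate: a net user /add with no matching UserAccountCreated row is still worth seeing, because it may mean the command failed, the event was not collected, or the account was created on a remote host.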
